PHP Detect HTTP Method of Referer?

Post by JAB Creations »

I can detect if the page has a referer...

Code:

if(isset($_SERVER['HTTP_REFERER']))

What I'm not sure about is how to detect an HTTP method of the referer.

I've tried...

Code:

if (isset($_POST))

...and...

Code:

if (!isset($_POST))

...and I get a false positive or a true negative or whatever. Echoing $_POST just spits out "array". What am I doing wrong?

*Edit* I always find stuff after I post though I'm still a bit baffled, HttpMessage::getRequestMethod. How can I echo that out? Here is an example I've tried...

Code:

echo '<b>' . $_SERVER['getRequestMethod'] . '</b>';

Post by feyd »

$_SERVER['REQUEST_METHOD']

Post by JAB Creations »

So close yet so far away! Is there some golden rule I should know about for using HTTP extensions?
http://us3.php.net/http

Thanks!

Post by feyd »

Sorry, what?

Post by JAB Creations »

I was looking at this page...
http://us3.php.net/manual/en/function.H ... Method.php

The referring page listed this...
HttpMessage::getRequestMethod — Get request method

at...
http://us3.php.net/http

I initially tried...

Code:

echo $_SERVER['getRequestMethod']

and...

Code:

echo $_SERVER['HttpMessage::getRequestMethod']

I'm missing the part where I'm supposed to remove HttpMessage::get from the equation?

Post by feyd »

The reference you are looking at is for a set of classes available in PHP 5 and functions for PHP 4.

Post by JAB Creations »

So I'm looking at something completely different?

Here is a better question for me: what words would best find what I was looking for in Google? The better I know how to research on my own the fewer questions I have to ask. :wink:

Thanks again. :D

Post by aaronhall »

The manual page "Predefined Variables" covers this -- this is incidentally the first Google result for "php request method".

Post by volka »

Let's take a look at the request my browser sent to retrieve this page.
It opened a socket to the server and sent character-by-character

GET /posting.php?mode=reply&t=64809 HTTP/1.1
Host: forums.devnetwork.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.8,de-de;q=0.5,de;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: viewtopic.php?t=64809
Cookie: phpbb2mysql_data=

It sent the referer url. Or (the other way round) anything the client sends in the referer header you can find in $_SERVER['HTTP_REFERER']. If the client chooses to send Referer: Mary had a little lamb then there's nothing you can do about it. There's no header defined for the method used to retrieve the referer url and standard clients will not send this kind of information. Therefore you cannot do what you want with php.

Post by JAB Creations »

If the client sends Mary had a little lamb for their referer they're probably too drugged up to worry about not viewing my site. :lol: Seriously though people who mess with the normal settings of their computer and browser for "privacy" while doing regular surfing need to learn what constitutes a breach of privacy and to realize that the only true threat to their privacy is their potential action to type their name or other personally identifiable information to a website.

Post by feyd »

Referral information is optional and should be treated that way.

Your name is not the only thing that can divulge information.

http://yro.slashdot.org/article.pl?sid= ... 3&from=rss

Post by volka »

And in this case the "mary had a little lamb" thing was not meant for security reasons but to illustrate that the referer information is something the client has to send (willingly) with the http request. It may send the url, but it does not send the method used to retrieve the doc.

Post by JAB Creations »

Even in the rare instances of identified click-print identities they remain just that, click-print identities. The only way previous non-POST click-print identities could be identified without access to ISP records would be for the surfer to submit identifiable information. Until then user = X but we still don't know who X is.

By requiring the POST to come from a specific source we can with additional coding and other methods ensure that the user's information is encrypted in an SSL session, for example. If we detect that the POST was not from a preferred source then we can warn the user that while their information is correct that their POST may have been compromised as it was not encrypted.

Post by feyd »

So long as your script doesn't break or die because someone doesn't supply you with referral information, it's perfectly fine to check, but if it breaks functionality, that's not very nice, no matter how you play it.

Post by volka »

JAB Creations wrote:
By requiring the POST to come from a specific source we can with additional coding and other methods ensure that the user's information is encrypted in an SSL session, for example. If we detect that the POST was not from a preferred source then we can warn the user that while their information is correct that their POST may have been compromised as it was not encrypted.

Are you concerned about man-in-the-middle attacks or faulty server setups (allowing http where https should be necessary)?
Bad-guy could send the referer you want and for ssl-or-not take a look at

Server variables: $_SERVER wrote:
'HTTPS'

Set to a non-empty value if the script was queried through the HTTPS protocol.

Note that when using ISAPI with IIS, the value will be off if the request was not made through the HTTPS protocol.
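
The points made in this thread, as an added example that is not code from any of the posters: the method of the current request is read from $_SERVER['REQUEST_METHOD'], HTTPS is read from $_SERVER['HTTPS'] with the IIS "off" value handled, and the Referer is parsed only as an untrusted hint. The function name describe_request(), the $trustedHost parameter and the forums.example host are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. describe_request() and its
// $trustedHost parameter are hypothetical; the $_SERVER keys are PHP's own.

/** Summarise what the server can actually know about the current request. */
function describe_request(array $server, string $trustedHost): array
{
    // Method of THIS request. isset($_POST) is no test for it: $_POST
    // always exists as an array, even on a GET.
    $method = strtoupper($server['REQUEST_METHOD'] ?? '');

    // 'HTTPS' is non-empty for TLS requests, but ISAPI on IIS sets it to
    // "off" for plain HTTP, so a bare !empty() check is wrong there.
    $https = !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';

    // Referer is optional and chosen by the client: parse defensively
    // and treat the result as a hint, never as proof of origin.
    $refererHost = null;
    if (isset($server['HTTP_REFERER'])) {
        $host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
        $refererHost = is_string($host) ? strtolower($host) : null;
    }

    return [
        'method'       => $method,
        'is_post'      => $method === 'POST',
        'is_https'     => $https,
        'referer_host' => $refererHost,
        'referer_hint' => $refererHost === strtolower($trustedHost),
    ];
}

// Constructed sample inputs (not captured traffic).
$samples = [
    'tls post'    => ['REQUEST_METHOD' => 'POST', 'HTTPS' => 'on',
                      'HTTP_REFERER' => 'https://forums.example/viewtopic.php?t=1'],
    'iis plain'   => ['REQUEST_METHOD' => 'POST', 'HTTPS' => 'off'],
    'odd referer' => ['REQUEST_METHOD' => 'GET',
                      'HTTP_REFERER' => 'Mary had a little lamb'],
];
foreach ($samples as $label => $server) {
    echo $label, ': ', json_encode(describe_request($server, 'forums.example')), "\n";
}
```

A missing or unparseable Referer leaves referer_host as null and the script keeps working, which matches the advice above to treat referral information as optional.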